The Ingress lives in namespace twmap and uses the TLS secret twmap-tls. The real client IP is in the X-Forwarded-For header, not in remote_addr, because the edge speaks PROXY protocol.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata: { name: myapp, namespace: twmap }
spec:
  replicas: 2
  selector: { matchLabels: { app: myapp } }
  template:
    metadata: { labels: { app: myapp } }
    spec:
      containers:
        - name: app
          image: your-image:tag
          ports: [{ containerPort: 8080 }]
---
apiVersion: v1
kind: Service
metadata: { name: myapp, namespace: twmap }
spec:
  selector: { app: myapp }
  ports: [{ port: 80, targetPort: 8080 }]
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata: { name: myapp, namespace: twmap }
spec:
  ingressClassName: nginx
  tls: [{ hosts: ["twmap.mapboss.co.th"], secretName: twmap-tls }]
  rules:
    - host: twmap.mapboss.co.th
      http: { paths: [{ path: /, pathType: Prefix,
        backend: { service: { name: myapp, port: { number: 80 } } } }] }
```
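Because the client address arrives in X-Forwarded-For rather than remote_addr, the application has to decide which entry in that header to believe: anyone can send a header with a made-up leftmost value, so the safe rule is to walk the list from the right and stop at the first address that is not one of your own proxies. The following is an added example, not code from the platform docs; the trusted-proxy CIDR is a placeholder you would replace with the ingress controller's real pod or node range.

```python
import ipaddress
from typing import Optional

# Assumption (placeholder, not from the platform docs): the network that the
# ingress controller pods connect from. Only hops in this range may append to
# X-Forwarded-For on the client's behalf.
TRUSTED_PROXIES = [ipaddress.ip_network("10.42.0.0/16")]


def _is_trusted(addr, trusted) -> bool:
    return any(addr in net for net in trusted)


def client_ip_from_xff(xff_header: Optional[str], remote_addr: str,
                       trusted=TRUSTED_PROXIES) -> str:
    """Return the client IP to use for logging, rate limits and allow-lists.

    remote_addr is the TCP peer that connected to the app (the ingress pod when
    traffic comes through the Ingress). X-Forwarded-For is walked right-to-left,
    skipping trusted proxies; the first untrusted hop is the client. Anything
    that cannot be verified falls back to remote_addr.
    """
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return remote_addr
    # A peer that is not one of our proxies could have written the header itself.
    if not _is_trusted(peer, trusted) or not xff_header:
        return remote_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed entry: do not trust the header at all
        if not _is_trusted(addr, trusted):
            return str(addr)
    # Every hop was a trusted proxy; the leftmost is the best information we have.
    return hops[0]


if __name__ == "__main__":
    # Constructed sample requests: (X-Forwarded-For, remote_addr)
    samples = [
        ("203.0.113.7", "10.42.3.9"),              # normal request via ingress
        ("1.2.3.4, 203.0.113.7", "10.42.3.9"),     # client tried to spoof the left entry
        ("203.0.113.7, 10.42.0.5", "10.42.3.9"),   # two proxy hops in the chain
        ("203.0.113.7", "198.51.100.4"),           # peer is not a proxy: header ignored
    ]
    for xff, peer in samples:
        print(f"xff={xff!r:30} peer={peer:14} -> {client_ip_from_xff(xff, peer)}")
```

The fallback matters: if the app is ever reached directly (a NodePort, a port-forward, a misrouted request that bypasses the ingress), the header is worthless and remote_addr is the only trustworthy value.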
Pick a port in the range 33000-33019 on IP 192.168.64.220. Many services share that IP on different ports via the allow-shared-ip annotation. A new service whose port is in range needs no host-side change; a brand-new project needs ops to run `sudo make web-proxy` once.
```yaml
apiVersion: v1
kind: Service
metadata:
  name: myapp-tcp
  namespace: twmap
  annotations:
    metallb.universe.tf/loadBalancerIPs: "192.168.64.220"
    metallb.universe.tf/allow-shared-ip: "twmap"
spec:
  type: LoadBalancer
  selector: { app: myapp }
  ports: [{ port: 33000, targetPort: 6379 }]
```
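Since several services share 192.168.64.220, the two things that go wrong in practice are picking a port another team already holds and using a different allow-shared-ip value (MetalLB only colocates services whose sharing key matches). The pre-flight check below is an added example, not part of the platform docs: it takes the candidate Service plus the existing Service objects (the shape of `kubectl get svc -A -o json` items) and reports range, port and sharing-key conflicts before anything is applied. The existing services listed in it are constructed samples.

```python
from typing import Dict, List

SHARED_IP = "192.168.64.220"
PORT_RANGE = range(33000, 33020)          # 33000-33019 inclusive
IP_ANN = "metallb.universe.tf/loadBalancerIPs"
KEY_ANN = "metallb.universe.tf/allow-shared-ip"


def _ann(svc: Dict, name: str):
    return ((svc.get("metadata") or {}).get("annotations") or {}).get(name)


def _ports(svc: Dict):
    # (port, protocol) pairs; Kubernetes defaults protocol to TCP when omitted
    return {(p["port"], p.get("protocol", "TCP"))
            for p in (svc.get("spec") or {}).get("ports", [])}


def _ident(svc: Dict) -> str:
    md = svc.get("metadata") or {}
    return f"{md.get('namespace', 'default')}/{md.get('name', '?')}"


def check_shared_ip_service(candidate: Dict, existing: List[Dict]) -> List[str]:
    """Return the problems found; an empty list means the Service is safe to apply."""
    problems: List[str] = []
    ip = _ann(candidate, IP_ANN)
    key = _ann(candidate, KEY_ANN)
    if ip != SHARED_IP:
        problems.append(f"{IP_ANN} must be {SHARED_IP!r}, got {ip!r}")
    if not key:
        problems.append(f"{KEY_ANN} is missing; MetalLB will not share the IP")
    wanted = _ports(candidate)
    for port, proto in sorted(wanted):
        if port not in PORT_RANGE:
            problems.append(f"port {port}/{proto} is outside "
                            f"{PORT_RANGE.start}-{PORT_RANGE.stop - 1}")
    for svc in existing:
        if (svc.get("spec") or {}).get("type") != "LoadBalancer" or _ann(svc, IP_ANN) != ip:
            continue
        if _ann(svc, KEY_ANN) != key:
            problems.append(f"{_ident(svc)} holds {ip} with sharing key "
                            f"{_ann(svc, KEY_ANN)!r}, not {key!r}")
        for port, proto in sorted(wanted & _ports(svc)):
            problems.append(f"port {port}/{proto} on {ip} is already used by {_ident(svc)}")
    return problems


# Constructed sample of what is already in the cluster (not real inventory).
EXISTING = [
    {"metadata": {"name": "redis-a", "namespace": "twmap",
                  "annotations": {IP_ANN: SHARED_IP, KEY_ANN: "twmap"}},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 33000, "targetPort": 6379}]}},
    {"metadata": {"name": "myapp", "namespace": "twmap"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 80, "targetPort": 8080}]}},
]


def candidate(port: int, key: str = "twmap") -> Dict:
    """Build the myapp-tcp Service from the docs with a chosen port and sharing key."""
    return {"metadata": {"name": "myapp-tcp", "namespace": "twmap",
                         "annotations": {IP_ANN: SHARED_IP, KEY_ANN: key}},
            "spec": {"type": "LoadBalancer", "selector": {"app": "myapp"},
                     "ports": [{"port": port, "targetPort": 6379}]}}


if __name__ == "__main__":
    for port in (33000, 33001, 34000):
        print(port, check_shared_ip_service(candidate(port), EXISTING) or "ok")
```

Run it against the live list by loading `kubectl get svc -A -o json` and passing its `items` as `existing`; a non-empty result is the list of things to fix before asking ops for anything.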
Your kubeconfig is delivered separately by the platform team. It holds a non-expiring token, so keep it secret. The context's default namespace is twmap.